07856d463630e953e218d3c66cb326a40a851c5dbbf3fb07ac64a8fc2f31d3b5

General

Target

23ac2d81fea6facbc3902139e14e5e4b.exe
Size

15.7MB
MD5

23ac2d81fea6facbc3902139e14e5e4b
SHA1

08f40a961c3ba7ed4d2b6f7295696ffbe8b303da
SHA256

07856d463630e953e218d3c66cb326a40a851c5dbbf3fb07ac64a8fc2f31d3b5
SHA512

5b7a68c8bc0fbe34761faf4c4577ebe432b2b59b168be0e549141500c6cfab9d0d066a773723897f4ae2e177be0dddbd274a0d7f46ce31e0a42b32e2904c5b4f
SSDEEP

393216:N/qbMrnMSDyUbMrnPbYbMrnMSDyUbMrnhZZbMrnMSDyUbMrnPbYbMrnMSDyUbMrn:NqbMrn1DyUbMrnzYbMrn1DyUbMrnhnbq

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2276	23ac2d81fea6facbc3902139e14e5e4b.exe

Executes dropped EXE 1 IoCs

pid	Process
2276	23ac2d81fea6facbc3902139e14e5e4b.exe

Loads dropped DLL 1 IoCs

pid	Process
2532	23ac2d81fea6facbc3902139e14e5e4b.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2532-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/memory/2532-16-0x0000000024D90000-0x0000000024FEC000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2748	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2532	23ac2d81fea6facbc3902139e14e5e4b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2532	23ac2d81fea6facbc3902139e14e5e4b.exe
2276	23ac2d81fea6facbc3902139e14e5e4b.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2276	2532	23ac2d81fea6facbc3902139e14e5e4b.exe	25
PID 2532 wrote to memory of 2276	2532	23ac2d81fea6facbc3902139e14e5e4b.exe	25
PID 2532 wrote to memory of 2276	2532	23ac2d81fea6facbc3902139e14e5e4b.exe	25
PID 2532 wrote to memory of 2276	2532	23ac2d81fea6facbc3902139e14e5e4b.exe	25
PID 2276 wrote to memory of 2748	2276	23ac2d81fea6facbc3902139e14e5e4b.exe	26
PID 2276 wrote to memory of 2748	2276	23ac2d81fea6facbc3902139e14e5e4b.exe	26
PID 2276 wrote to memory of 2748	2276	23ac2d81fea6facbc3902139e14e5e4b.exe	26
PID 2276 wrote to memory of 2748	2276	23ac2d81fea6facbc3902139e14e5e4b.exe	26
PID 2276 wrote to memory of 2868	2276	23ac2d81fea6facbc3902139e14e5e4b.exe	30
PID 2276 wrote to memory of 2868	2276	23ac2d81fea6facbc3902139e14e5e4b.exe	30
PID 2276 wrote to memory of 2868	2276	23ac2d81fea6facbc3902139e14e5e4b.exe	30
PID 2276 wrote to memory of 2868	2276	23ac2d81fea6facbc3902139e14e5e4b.exe	30
PID 2868 wrote to memory of 2284	2868	cmd.exe	28
PID 2868 wrote to memory of 2284	2868	cmd.exe	28
PID 2868 wrote to memory of 2284	2868	cmd.exe	28
PID 2868 wrote to memory of 2284	2868	cmd.exe	28

C:\Users\Admin\AppData\Local\Temp\23ac2d81fea6facbc3902139e14e5e4b.exe
"C:\Users\Admin\AppData\Local\Temp\23ac2d81fea6facbc3902139e14e5e4b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\23ac2d81fea6facbc3902139e14e5e4b.exe
  C:\Users\Admin\AppData\Local\Temp\23ac2d81fea6facbc3902139e14e5e4b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\23ac2d81fea6facbc3902139e14e5e4b.exe" /TN QxutJGth3fd4 /F
    3⤵
    - Creates scheduled task(s)
    PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN QxutJGth3fd4 > C:\Users\Admin\AppData\Local\Temp\uURdqm9tr.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2868

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN QxutJGth3fd4
1⤵
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2276-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2276-22-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/2276-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2276-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-55-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2532-3-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2532-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2532-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2532-16-0x0000000024D90000-0x0000000024FEC000-memory.dmp

Filesize
2.4MB

Download
memory/2532-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2532-54-0x0000000024D90000-0x0000000024FEC000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads